
HIPAA - Security Implementation Matrix for Business Continuity Planning and Disaster Recovery
The proposed rules for data security and electronic signature, published by the Department of Health and Human Services, call for a contingency plan in the section on administrative procedures to guard data integrity, confidentiality, and availability.

The requirement states: “We would require a contingency plan to be in effect for responding to system emergencies. The organization would be required to perform periodic backups of data, have available critical facilities for continuing operations in the event of an emergency, and have disaster recovery procedures in place. To satisfy the requirement, the plan would include the following:

- Applications and data criticality analysis
- A data backup plan
- A disaster recovery plan
- An emergency mode operation plan
- Testing and revision procedures”

The following section provides guidelines for developing a business continuity plan and a disaster recovery plan. Each item in the matrix maps to one or more requirements, which are noted in the Requirement and Implementation columns.
| Business Continuity Planning | Requirement | Implementation |
|---|---|---|
| Critical Business Function Analysis & Prioritization | | |
| 1. Mapping critical business functions to applications | Contingency Plan | Applications and data criticality |
| 2. Mapping applications to technologies (platforms, LANs/WANs, data storage, imaging, EDI, etc.) | Contingency Plan | Applications and data criticality |
| 3. Impact of business cycle on prioritization (end of month, quarter-end, year-end, etc.) | Contingency Plan | Applications and data criticality |
| 4. Strategy for regular update and review | Contingency Plan | Testing and revision |
| 5. Clear statement of risk assumption | Contingency Plan; Security Management Process | Applications and data criticality analysis |
| 6. Definition of minimum acceptable level of service and detailed actions to get to that level | Contingency Plan | Risk Analysis; Risk Management; Applications Analysis and data criticality |
| 7. Management participation and signoff on prioritization recommendations | Contingency Plan | Disaster Recovery Plan; Emergency Mode Operations Plan; Applications and data criticality |
| Manual Procedures | | |
| 1. Local (desktop) transaction capture & tracking | Media Controls | Data Backup; Data Storage; Disposal |
| 2. Customer interface procedures | Contingency Plan | Emergency Mode Operations Plan |
| 3. Work-in-process (WIP) | Media Controls | Data Backup; Data Storage; Disposal |
| 4. Transaction flow | Media Controls | Data Backup; Data Storage; Disposal |
| 5. Supply Chain procedures | Chain of Trust Partner Agreement | |
| 6. Forms Controls; Negotiable Documents Controls; Records Retentions; Forms Inventories | Security Management Process; Contingency Plan | Risk Management; Disaster Recovery Plan |
| Work Around Procedures | | |
| 1. Hardcopy; 2. Reference Manuals; 3. Contact Information; 4. Procedures; 5. Paper Transactions; 6. Inventories: a) Transactions, b) Equipment, c) Forms, d) Personnel, e) Services, f) Communications | Contingency Plan | Disaster Recovery Plan & Emergency Mode Operations Plan |
| Business Unit Contingency Teams Organization | | |
| 1. Emergency Management/Crisis Management guidelines/procedures/decisions | Contingency Plan | Emergency Mode Operations Plan |
| 2. Public relations/Media Interaction guidelines | Contingency Plan | Emergency Mode Operations Plan |
| 3. Emergency notification process and responsibilities | Contingency Plan | Disaster Recovery Plan & Emergency Mode Operations Plan |
| 4. Hardcopy, local backup strategies | Contingency Plan | Disaster Recovery Plan |
| 5. Key vendor information | Contingency Plan | Disaster Recovery Plan |
| 6. Recovery Logistics | Contingency Plan | Disaster Recovery Plan |
| 7. Human Elements | Contingency Plan | Disaster Recovery Plan |
| 8. Teams Composition: a) Skill set match, b) Training, c) Testing | Contingency Plan | Disaster Recovery Plan |
| 9. Specific procedures for activating and de-activating contingency operations: a) Authorization to activate/de-activate, b) Quantified service level thresholds for activation/de-activation, c) Triggers to activate/de-activate, d) Methods for quantifying degradation of service, e) Responsibilities/Authorities/Accountabilities during contingency operations | Contingency Plan | Disaster Recovery Plan & Emergency Mode Operations Plan |
| 10. Voice Communications: a) As part of business functions, b) As part of BCP | Contingency Plan | Disaster Recovery Plan & Emergency Mode Operations Plan |
| 11. Business Continuity Plan Controls: a) Plan Distribution, b) Plan Maintenance, c) Plan Testing, d) Responsibilities, e) Authorities | Contingency Plan | Disaster Recovery Plan & Emergency Mode Operations Plan |
| Crisis Management Teams & Procedures | | |
| 1. Crisis Management Teams: a) Technical, b) Functional | Contingency Plan | Emergency Mode Operations Plan |
| 2. Crisis Management Procedures: a) Public Relations, b) Notifications, c) Escalations | Contingency Plan | Emergency Mode Operations Plan |
| Disaster Recovery Planning | Requirement | Implementation |
|---|---|---|
| Critical Applications Analysis & Prioritization | | |
| 1. Strategy for prioritization | Contingency Plan | Applications and Data Criticality Analysis |
| 2. Strategy for regular review & update | Contingency Plan | Applications and Data Criticality Analysis; Testing and Revision |
| 3. Change in prioritization based on shift in business cycle | Contingency Plan | Applications and Data Criticality Analysis; Testing and Revision |
| 4. Management review/signoff on prioritizations | Contingency Plan | Applications and Data Criticality Analysis; Testing and Revision |
| 5. Application dependencies/interdependencies | Contingency Plan | Applications and Data Criticality Analysis |
| 6. Mapping critical applications to business functions | Contingency Plan | Applications and Data Criticality Analysis |
| 7. Application downtime procedures | Contingency Plan | Applications and Data Criticality Analysis; Disaster Recovery Plan |
| 8. Time thresholds for invoking downtime procedures | Contingency Plan | Applications and Data Criticality Analysis; Disaster Recovery Plan |
| Data Backup Procedures | | |
| 1. File Naming Conventions; 2. Records Retention Program; 3. Offsite Storage: a) Technology Employed, b) Physical view of offsite, c) Logical view of offsite, d) Rotation Procedures | Contingency Plan & Media Controls | Data Backup; Data Storage; Disposal; Disaster Recovery Plan |
| Offsite Storage Capabilities | | |
| 1. Standard Physical Rotations; 2. Electronic Shadowing; 3. Electronic Journaling; 4. Data Mirroring; 5. Facility Security; 6. Transport Security | Contingency Plan & Media Controls | Data Backup; Data Storage; Disposal; Disaster Recovery Plan |
| 7. Disaster Recovery Plan Controls: a) Plan Distribution, b) Plan Maintenance, c) Plan Testing, d) Responsibilities, e) Authorities | Contingency Plan | Disaster Recovery Plan |
| Restoration Teams and Documentation | | |
| 1. Hardware Restoration/Replacement Procedures: a) Service Requests, b) Purchase Orders, c) Supply Chain; 2. Return Home Procedures: a) Hardware certification, b) Parallel processing, c) Cutover, d) Alternate Site Shutdown, e) Data Disposition (1. Delete/Scratch Controls, 2. DASD Overwrite Procedures, 3. Physical Data Handling To/From Sites) | | |